Ubisoft acknowledges major Uplay security flaw

30 Jul 2012 by Peter Parrish

A flaw in Ubisoft's 'Uplay' software, the overlay which doubles as a social area and DRM system for the majority of Ubisoft's recent titles, has been acknowledged by the publisher. Uplay, it seems, quietly installed a browser-based plugin that further allowed Ubisoft to keep an eye on your PC gaming activities. Unfortunately, as this plugin's primary task appears to have been to execute commands remotely, it had a few exploitable loopholes.
Ubisoft has issued a statement and an emergency patch (updating Uplay to version 2.04) which it claims will solve the problem. It reads as follows:
"We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.
Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues."
That should take care of the security issue, but it doesn't really explain why Ubisoft felt the need to sneakily install some extra bits and pieces on all of our PCs without telling anyone. Especially a browser plugin which (theoretically) had blanket access to a user's system.
If you'd like to manually disable the plug-in, here's where to find it in various browsers:
Firefox:
Tools – Add-ons – Plugins – Disable the Uplay and Uplay PC Hub plugins
Chrome:
Visit about:plugins and disable
Opera:
Settings – Preferences – Advanced – Downloads – Search “Uplay”, delete
